> It's true that information travels this way, but the "leaky" request
> will never be made unless attacker.com is in the Request-Target
> whitelist. So there is no leak.
Ah! You're right, I had confused that for some reason. If all requests are still covered by Request-Target, then we're good for that kind of leak. (I was somehow thinking that you were talking about checking only POST requests, which was why I was concerned.)

Looking at it again, the thing I think might be missing from Request-Target is the "other side" that you do for scripts with Request-Source (or that Flash does with crossdomain.xml). There's no way for the external content provider to say "no, that's an action-causing script, we don't let other people use that" on requests that are "safe". I think if you put that in, you'd be able to stop more XSRF than you can with only the one check.

Example:

1. A portal site includes info from a social networking site (i.e. your friends' latest updates).
2. It puts *.social into its Request-Target list because it wants things to "just work" and that seems easiest.
3. Said portal site has an XSS exploit and someone inserts XSRF code for use on the social site.
4. It works when someone visits that page.

If the social site can use Request-Source to say "no" when someone tries to do a GET on, say, *.action.social, then we can block a few more attacks. But Request-Source doesn't cover GET requests.

> So there's a possible risk for people who don't review the contents of
> their cart before hitting "Buy"? :-)

*laugh* I know, the prospect is terrifying. ;) But adding an item to a cart and adding a friend are very similar actions, and the latter might have privacy implications. I've definitely seen a simple karma-adding exploit on Joomla. Which is just amusing and harmless unless, for example, you're using that karma to determine whose stories get auto-posted to the front page of a site.
And as I said, I've seen forum software (my fuzzy memory says it was also Joomla, but it could have been phpBB or another package) that allowed posting using a GET request (because there was no check to see if the variables came in through POST or GET -- PHP is awfully friendly to this...).

Terri

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
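As an added example, not part of the thread, here is a small Python model of the one-sided versus two-sided check Terri describes (a portal whitelisting *.social wholesale, and the social site wanting to refuse cross-site GETs to its action hosts). The Request-Target and Request-Source semantics it encodes, and the host names, are assumptions drawn from the discussion above, not the proposal's actual definitions.

```python
"""Model of the one-sided vs. two-sided request check discussed in the thread.

Assumed semantics (constructed for this example, not the real proposal):
- Request-Target: host globs the embedding page is allowed to send requests to.
- Request-Source: rules published by the content provider as
  (host glob, set of methods, initiator globs); a request whose host and
  method match a rule is admitted only if its initiator matches too.
"""
from fnmatch import fnmatch


def target_allows(request_target, host):
    """Embedding page's side: is `host` covered by its Request-Target list?"""
    return any(fnmatch(host, pat) for pat in request_target)


def source_allows(request_source, host, method, initiator):
    """Content provider's side. Hosts with no matching rule stay unrestricted,
    and, as the thread points out, a rule that omits GET never restricts GET."""
    for host_pat, methods, initiators in request_source:
        if fnmatch(host, host_pat) and method in methods:
            return any(fnmatch(initiator, pat) for pat in initiators)
    return True


def allowed(request_target, request_source, initiator, host, method):
    """Request goes through only if both sides agree."""
    return (target_allows(request_target, host)
            and source_allows(request_source, host, method, initiator))


# Constructed scenario from the thread: the portal whitelists *.social wholesale.
PORTAL_TARGETS = ["*.social"]
# Social site's rules: only its own pages may trigger action endpoints.
# The first variant covers POST only; the second also covers GET.
SOCIAL_RULES_POST_ONLY = [("*.action.social", {"POST"}, ["*.social"])]
SOCIAL_RULES_WITH_GET = [("*.action.social", {"GET", "POST"}, ["*.social"])]


def scenario(rules):
    """Script injected into the portal via XSS issues a GET to the action host."""
    return allowed(PORTAL_TARGETS, rules, "portal.example",
                   "www.action.social", "GET")
```

With POST-only source rules the injected GET passes (the portal's wildcard is the only check); once the social site's rule covers GET, or the portal narrows its whitelist to the feed host it actually needs, the same request is refused.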